Cisco Support Community
Community Member


Good morning all,

I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.


Community Member

Re: AAA using RADIUS

This has been resolved.

Community Member

Re: AAA using RADIUS


I also want to perform similar activities within my network.

I also have ACS 4.1 SE, Cisco 4500, 6500, 2960, 3750, 3560, ASA, CSMARS, routers, etc. in my network. I want to have RADIUS-based authentication for the same.

I want telnet and ssh to be verified by the RADIUS server, and console by local authentication.

Could you please send me the config that is required on the active devices as well as the ACS?

Community Member

Re: AAA using RADIUS

For routers and IOS switches:

aaa new-model

aaa authentication banner *Unauthorized Access Prohibited*

aaa authentication login default group radius

radius-server host (your acs device)

radius-server key cisco123

radius-server configure-nas

username nmg password telnet

aaa authentication ppp dialins group radius local

aaa authentication login nmg local

aaa authorization network default group radius local

aaa accounting network default start-stop group radius

aaa processes 16

line 1 16

login authentication

For CatOS switches:

set radius server (your acs device)

show radius

set radius key cisco123

set authentication login radius enable

set authentication enable radius enable

show authentication

set radius timeout 5

set radius retransmit 3

set radius deadtime 3

For Pix Firewalls:

aaa authentication ssh console radius LOCAL

aaa authentication telnet console radius LOCAL

aaa-server radgroup protocol RADIUS

max-failed-attempts 2

reactivation-mode depletion deadtime 5


(NOTE: This will depend on the location of the PIX firewall)

aaa-server radgroup (inside) host



aaa-server radgroup (inside) host



This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.

If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes was to ensure that [006] Service-Type is checked, scroll down to Administrative, and click Submit & Restart.

Hope this helps some. I had a lot of help from Cisco TAC on this.
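An audit for the split this thread asks about (vty logins checked by RADIUS, console logins checked locally), added here as an example and not taken from any post or from Cisco tooling. The sample config, the list names CONSOLE and MISSING, and the functions `parse` and `audit` are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): RADIUS then local on vty, local on console.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
line vty 5 15
 login authentication MISSING
"""

def parse(config):
    """Return (method_lists, line_bindings); 'group radius' collapses to 'radius'."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = re.sub(r"group\s+", "", m.group(2)).split()
        elif raw.startswith("line "):
            current = text
            lines[current] = "default"   # with aaa new-model, unset lines use "default"
        elif current and raw.startswith(" "):
            m = re.match(r"login authentication (\S+)", text)
            lines[current] = m.group(1) if m else lines[current]
        else:
            current = None               # a non-indented command ends the line block
    return lists, lines

def audit(config):
    """Map each line to its login methods and list deviations from the goal."""
    lists, lines = parse(config)
    findings, report = [], {}
    for line, name in lines.items():
        methods = lists.get(name)
        report[line] = methods
        if methods is None:
            findings.append(f"{line}: method list '{name}' is not defined")
        elif line.startswith("line con") and methods[0] != "local":
            findings.append(f"{line}: console does not authenticate locally")
        elif line.startswith("line vty") and methods[0] != "radius":
            findings.append(f"{line}: vty does not try RADIUS first")
        elif line.startswith("line vty") and "local" not in methods[1:]:
            findings.append(f"{line}: no local fallback if RADIUS is unreachable")
    return report, findings
```

Run against a config that has only `aaa authentication login default group radius`, it reports both the console and the vty lines, since every line then inherits a RADIUS-only list.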

